Do third-party apps can access your Gmail inbox?

Google is pronounced on the investigation of email scanning made by third-party apps

Google has responded to a recent research on apps developed by third parties that scan Gmail inbox to collect marketing data, stating that it keeps a close surveillance at app and suspends developers who do not meet their privacy standards.

The pronouncement comes after a Wall Street Journal (WSJ) investigation that found that marketing companies performed automatic scans on e-mail inboxes and, from time to time, human operators analyzed and read some of the scanned mails.

The investigation argued that Return Path and Edison, marketing companies, did not adequately inform users that their emails could be read, while companies argue that their user agreements had enough disclosure, as deported by the WSJ.

According to secure data destruction experts, Google allows third-party apps, such as travel planners, calendars, and customer management systems, to add extra features within the email service. Those apps could have unrestricted access to view all of the user’s emails.

On the other hand, Google claims that third-party apps are reviewed to ensure that they are clear to users about the use of their data and ensure that apps do not ask for too many permissions; “We review non-Google apps to ensure that they continue to fulfill our policies and suspend them when they don’t”, say company spokespersons.

But WSJ research holds that Google doesn’t do much to control external developers, who analyze an amazing amount of email while essentially do self-control.

Email scanning

Secure data destruction specialists have long known the danger of adding third-party apps with access to email. Hackers are known to create fake apps to access email, distorting the app’s permissions.

Granting access to emails only takes one click. The attacker gets an access token to the victim’s account. That access persists even if a person changes his/her password, as reported by secure data destruction experts.

Google, Microsoft, and other cloud service providers have security panels that show other apps linked to an account. But it is possible that people only review the panels few times and neglect to revoke apps they don’t need.

According to reports from the International Institute of Cyber Security, before a non-Google app can access the user’s data, a permissions screen is displayed that informs the types of data that the app can access and how it can use that data.

Notifying consumers of these services is a central part of the European Union’s General Data Regulation Protection. This law is the strictest in the world In terms of information security, requires companies to disclose data collected on demand, make secure data destruction on demand, and establish consistent data policies.

Humans involved in the process

Return Path, a company specialized in adjusting marketing messages based on the level of read commercial emails, scanned up to 100 million of messages per day, according to the investigation of the WSJ.

But there are also humans reading these emails. The WSJ reported that Return Path employees read 8K emails two years ago to set up the company’s software. This was done after the Return Path email scanning software marked personal emails as commercial ones.

Edison Software, another company which makes an app for Gmail, also manually scanned hundreds of emails that it had access to, reports WSJ, although the investigation maintains that it does not have information to say that these companies have committed some breach.

Although users must grant access to third-party apps, there is concern about whether users fully understand the power they give to developers.

The Return Path platform for marketing specialists allows operators to see whether commercial content emails are read or not. You can see screenshots of the emails, although the name and addresses are removed, according to the investigation of the WSJ.